Gozi Banking Trojan Uses "Dark Cloud" Botnet for Distribution

Gozi has been around for several years and had its source code leaked online on two occasions over the past years, which led to the development of a new Trojan in 2016, GozNym. The malware has continued to remain active and even adopted new techniques in recent campaigns, such as the use of the Dark Cloud infrastructure.

The campaigns Talos has observed over the past few months are relatively low-volume, target specific organizations, and reveal significqant effort into the creation of convincing emails. Not only are the distribution and the command and control (C&C) infrastructure active for short periods of time only, but the actors behind them also move to new domains and IP addresses fast, even for individual emails sent as part of the same campaign.

The spam emails carry Microsoft Word documents as attachments. When opened, the files display a decoy image claiming that the document was created using Office 365 and that the user should "Enable Editing" and then "Enable Content" to view it. If the victim follows through, embedded macros are executed to download and run the malware.

The VBA macro is usually executed when the document is closed, in an attempt to bypass sandbox detection. The macro downloads an HTA file from a remote server, which is executed without alerting the user. The infection process continues with the execution of an obfuscated JavaScript script to run a PowerShell script to download and execute the final payload on the victim's machine.

The vast majority of the malicious documents used in campaigns in the fourth quarter of 2017 are individualized. Although they appear similar, differences exist in embedded macro, code, and even color of the decoy image.

Talos also discovered that the campaigns have been ongoing for a couple of years, and that the image in the documents has been changed from time to time, the same as the VBA code in the malicious macros. The researchers even observed localized documents in some cases, suggesting that “the separate attacks are highly customized and targeted.”

The final payload is usually a banking Trojan based on the Gozi ISFB code base, but other malware families (CryptoShuffler, Sennoma and SpyEye) were also observed.

The malware loader used in these attacks uses anti-virtualization and carries two versions of the same DLL, each targeting a different architecture. Depending on the victim machine, the loader injects either the 32-bit or the 64-bit DLL into the explorer.exe process.

The distribution infrastructure used in these campaigns overlaps with that of Dark Cloud, a botnet initially analyzed in 2016. The botnet, Talos notes, is used in the distribution and administration of various malware families, including Gozi ISFB and Nymaim.

The botnet uses fast flux techniques to make the tracking of its backend infrastructure more difficult. “By frequently changing the DNS records associated with the malicious domains, attackers can make use of an extensive network of proxies, continuously changing the address of the IP being used to handle communications to the web servers the attacker controls,” Talos explains.

By looking at the domains and IP addresses associated with the infrastructure, the researchers discovered that it was serving a variety of cybercriminal activities, including carding forums, malware delivery and control, and spam.

Talos also discovered that the attackers aren’t using proxies and hosts in Western Europe, Central Europe, and North America, but mainly those located in Eastern Europe, Asia, and the Middle East.

“Gozi ISFB is a banking Trojan that has been used extensively by attackers who are targeting organizations around the world. It has been around for the past several years, and ongoing campaigns indicate that it will not be going away any time soon. Attackers are continuing to modify their techniques and finding effective new ways to obfuscate their malicious server infrastructure in an attempt to make analysis and tracking more difficult,” Talos concludes.